RFC 7801

GOST R 34.12-2015: Block Cipher "Kuznyechik"

Independent Submission V. Dolmatov, Ed.
Request for Comments: 7801 Research Computer Center MSU
Category: Informational March 2016
ISSN: 2070-1721
GOST R 34.12-2015: Block Cipher "Kuznyechik"
Abstract
This document is intended to be a source of information about the
Russian Federal standard GOST R 34.12-2015 describing the block
cipher with a block length of n=128 bits and a key length of k=256
bits, which is also referred to as "Kuznyechik". This algorithm is
one of the set of Russian cryptographic standard algorithms (called
GOST algorithms).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7801.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.

2. General Information
The block cipher "Kuznyechik" [GOST3412-2015] was developed by the
Center for Information Protection and Special Communications of the
Federal Security Service of the Russian Federation with participation
of the Open Joint-Stock company "Information Technologies and
Communication Systems" (InfoTeCS JSC). GOST R 34.12-2015 was
approved and introduced by Decree #749 of the Federal Agency on
Technical Regulating and Metrology on June 19, 2015.
Terms and concepts in the standard comply with the following
international standards:
o ISO/IEC 10116 [ISO-IEC10116] and
o series of standards ISO/IEC 18033 [ISO-IEC18033-1]
[ISO-IEC18033-3].
3. Definitions and Notations
The following terms and their corresponding definitions are used in
the standard.
3.1. Definitions
Definitions
encryption algorithm: process that transforms plaintext into
ciphertext (Section 2.19 of [ISO-IEC18033-1]),
decryption algorithm: process that transforms ciphertext into
plaintext (Section 2.14 of [ISO-IEC18033-1]),
basic block cipher: block cipher that for a given key provides a
single invertible mapping of the set of fixed-length plaintext
blocks into ciphertext blocks of the same length,
block: string of bits of a defined length (Section 2.6 of
[ISO-IEC18033-1]),
block cipher: symmetric encipherment system with the property that
the encryption algorithm operates on a block of plaintext, i.e., a
string of bits of a defined length, to yield a block of ciphertext
(Section 2.7 of [ISO-IEC18033-1]),
Note: In GOST R 34.12-2015, it is established that the terms
"block cipher" and "block encryption algorithm" are synonyms.

encryption: reversible transformation of data by a cryptographic
algorithm to produce ciphertext, i.e., to hide the information
content of the data (Section 2.18 of [ISO-IEC18033-1]),
round key: sequence of symbols that is calculated from the key and
controls a transformation for one round of a block cipher,
key: sequence of symbols that controls the operation of a
cryptographic transformation (e.g., encipherment and decipherment)
(Section 2.21 of [ISO-IEC18033-1]),
Note: In GOST R 34.12-2015, the key must be a binary sequence.
plaintext: unencrypted information (Section 3.11 of
[ISO-IEC10116]),
key schedule: calculation of round keys from the key,
decryption: reversal of a corresponding encipherment (Section 2.13
of [ISO-IEC18033-1]),
symmetric cryptographic technique: cryptographic technique that
uses the same secret key for both the originator's and the
recipient's transformation (Section 2.32 of [ISO-IEC18033-1]),
cipher: alternative term for encipherment system (Section 2.20 of
[ISO-IEC18033-1]), and
ciphertext: data that has been transformed to hide its information
content (Section 3.3 of [ISO-IEC10116]).
3.2. Notations
The following notations are used in the standard:
V* the set of all binary vector strings of a finite length
(hereinafter referred to as the strings) including the empty
string,
V_s the set of all binary strings of length s, where s is a non-
negative integer; substrings and string components are
enumerated from right to left starting from zero,
U[*]W direct (Cartesian) product of two sets, U and W,
|A| the number of components (the length) of a string A belonging
to V* (if A is an empty string, then |A| = 0),

A||B concatenation of strings A and B both belonging to V*, i.e.,
a string from V_(|A|+|B|), where the left substring from
V_|A| is equal to A, and the right substring from V_|B| is
equal to B,
Z_(2^n) ring of residues modulo 2^n,
Q finite field GF(2)[x]/p(x), where p(x)=x^8+x^7+x^6+x+1
belongs to GF(2)[x]; elements of field Q are represented by
integers in such way that element
z_0+z_1*theta+...+z_7*theta^7 belonging to Q corresponds to
integer z_0+2*z_1+...+2^7*z_7, where z_i=0 or z_i=1,
i=0,1,...,7 and theta denotes a residue class modulo p(x)
containing x,
(xor) exclusive-or of the two binary strings of the same length,
Vec_s: Z_(2^s) -> V_s bijective mapping that maps an element from
ring Z_(2^s) into its binary representation, i.e., for an
element z of the ring Z_(2^s), represented by the residue z_0
+ (2*z_1) + ... + (2^(s-1)*z_(s-1)), where z_i in {0, 1}, i =
0, ..., n-1, the equality Vec_s(z) = z_(s-1)||...||z_1||z_0
holds,
Int_s: V_s -> Z_(2^s) the mapping inverse to the mapping Vec_s,
i.e., Int_s = Vec_s^(-1),
delta: V_8 -> Q bijective mapping that maps a binary string from V_8
into an element from field Q as follows: string
z_7||...||z_1||z_0, where z_i in {0, 1}, i = 0, ..., 7,
corresponds to the element z_0+(z_1*theta)+...+(z_7*theta^7)
belonging to Z,
nabla: Q -> V8 the mapping inverse to the mapping delta, i.e., delta
= nabla^(-1),
PS composition of mappings, where the mapping S applies first,
and
P^s composition of mappings P^(s-1) and P, where P^1=P.

4.3. Transformations
The following transformations are applicable for encryption and
decryption algorithms:
X[x]:V_128->V_128 X[k](a)=k(xor)a, where k, a belong to V_128,
S:V_128-> V_128 S(a)=(a_15||...||a_0)=pi(a_15)||...||pi(a_0), where
a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
S^(-1):V_128-> V_128 the inverse transformation of S, which may be
calculated, for example, as follows:
S^(-1)(a_15||...||a_0)=pi^(-1) (a_15)||...||pi^(-1)(a_0), where
a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
R:V_128-> V_128 R(a_15||...||a_0)=l(a_15,...,a_0)||a_15||...||a_1,
where a_15||...||a_0 belongs to V_128, a_i belongs to V_8,
i=0,1,...,15,
L:V_128-> V_128 L(a)=R^(16)(a), where a belongs to V_128,
R^(-1):V_128-> V_128 the inverse transformation of R, which may be
calculated, for example, as follows: R^(-1)(a_15||...||a_0)=a_14||
a_13||...||a_0||l(a_14,a_13,...,a_0,a_15), where a_15||...||a_0
belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
L^(-1):V_128-> V_128 L^(-1)(a)=(R^(-1))(16)(a), where a belongs to
V_128, and
F[k]:V_128[*]V_128 -> V_128[*]V_128
F[k](a_1,a_0)=(LSX[k](a_1)(xor)a_0,a_1), where k, a_0, a_1 belong
to V_128.